Re: MSIE integer overflows

["Berend-Jan Wever" <SkyLined () edup tudelft nl>]

Yes:
--
i=32*256*256*256*256*256*256*256;
a=i;
b=i+1;
alert(a+'=='+b+' evaluates to '+(a==b));
--
evaluates to true

Berend-Jan Wever

----- Original Message ----- 
From: "xenophi1e" <oliver.lavery () sympatico ca>
To: <vuln-dev () securityfocus com>
Sent: Wednesday, May 14, 2003 19:02
Subject: Re: MSIE integer overflows


> In-Reply-To: <004e01c319fb$7ec41050$0100a8c0@grotedoos>
>
>
>
> > Not true: "++i" will increase i first and return the result of that
>
> > increased i where "i++" will return i and then increase it:
>
> > -- example.js --
>
> > var i=1;
>
> > document.write(++i); // prints 2, i=2;
>
> > document.write(i++); // prints 2, i=3;
>
> > -- cut here --
>
> >
>
>
>
> Yes, of course.
>
>
>
> Again, I'm talking about C here, simply because I don't know JS to this 
>
> level of detail. But...
>
>
>
> document.write((i==++i) + ' ' + (i==++i) + '<BR>');
>
>
>
> Seems like ambiguous code that might rely on unspecified behaviours. 
>
> Postincrement and preincrement are gotchas in C. For example the 
>
> following code:
>
>
>
> i = 2;
>
> printf ("%d", i++ * i++);
>
>
>
> Often does not print 6 as you might think, but rather prints 4. The 
>
> reason is that the postincrement operator increments the values before 
>
> the next sequence point, not necessarily the next _operation_.
>
>
>
> I was just pointing out that using expressions like i == ++i s
> eems a bit 
>
> suspect. I'm not certain, but I believe a C compiler is free to do both 
>
> increments prior to the rest of the expression. It does seem like it 
>
> should always be a tautology, though. 
>
>
>
> Do you get the same results if you write the same code less ambiguously?
>
>
>
> Cheers,
>
> ~ol